Verizon employees fired after peeping Obama cell records

Several Verizon Wireless employees have been suspended after the company …

Verizon Wireless has fired several employees who improperly accessed Barack Obama's cell phone records, which may have included billing data revealing who the president elect spoke with, and when.

The mobile in question was not the Blackberry that Obama is reluctantly giving up when he moves into the White House, but a plain-vanilla flip phone that had been inactive for several months. Neither e-mails nor the contents of any calls would have been exposed, but the account information may have included the type of list of incoming and outgoing calls, with their times and durations, found on a monthly billing statement.

In a public announcement of the breach on Thursday, Verizon Wireless CEO Lowell McAdam apologized to Obama, and explained that all employees who had accessed Obama's records—whether they were authorized to do so or not—would be placed on paid leave pending an internal investigation. McAdam said those found to have pulled up Obama's file improperly would face "disciplinary action"—which an internal e-mail obtained by CNN made clear might include termination.

The internal e-mail also noted that federal law enforcement had been notified of the breach, though the Obama campaign was not aware of any criminal investigation. Nor, indeed, is it immediately obvious that a crime has been committed.

Privacy statutes tend to focus on the contents of communications, not on metadata like billing records. The Stored Communications Act penalizes unauthorized access to communications themselves—such as stored e-mails—and also prohibits disclosure of noncontent records to any government entity, but does not otherwise appear to cover unauthorized use of call records.

If the employees who looked at the information "made false or fraudulent statements" in "interstate commerce" in order to gain access, however, their actions may conceivably fall under the Telephone Records Protection Act of 2006, which was intended to ban the practice of "pretexting." That law also provides penalties—including fines and up to 10 years in jail—for anyone who attempts to sell or transfer confidential records. In short, if the employees either obtained access via deception or shared the records they'd obtained across state lines, the TRPA may apply.

But the federal law most likely to be applied in this instance, according to George Washington University law professor Orin Kerr, is the computer fraud statue, section 1030 of the criminal code. That law also provides for penalties, up to a 10-year prison sentence, for anyone who "intentionally accesses a computer without authorization or exceeds authorized access" in order to obtain information from a protected computer. Until recently, the statute contained a similar requirement that the unauthorized access involve an interstate or foreign communication, but Kerr told Ars that Congress recently removed that requirement, meaning it might apply to an employee who accessed information beyond their authorization even on a local machine.

Call records are protected, the preface to the TRPA explains, because "logs may reveal the names of telephone users' doctors, public and private relationships, business associates, and more."

The article above has been modified from its original version to reflect the firing of several of the employees who had been suspended.